authorTobias Stoeckmann <tobias@stoeckmann.org>2018-07-27 16:38:00 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2018-08-21 16:43:22 +0200
commite83722768fd5c467ef61fa159e8c6278770b45c2 (patch)
tree60bfca73d8cd3890c1bdabadc359bc6dc42617f6
parentdbf72805fd9d7b1846fe9a11b46f3994bfc27fea (diff)
Fixed crash on invalid reply (CVE-2018-14598).
If the server sends a reply in which even the first string would overflow the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a count of 0 is returned. If the resulting list is freed with XFreeExtensionList or XFreeFontPath later on, the first Xfree call, Xfree (list[0]-1), turns into Xfree (NULL-1), which will most likely trigger a segmentation fault. I have modified the code to return NULL if the first string would overflow, thus protecting the freeing functions later on. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r--src/GetFPath.c5
-rw-r--r--src/ListExt.c5
2 files changed, 10 insertions, 0 deletions
diff --git a/src/GetFPath.c b/src/GetFPath.c
index 813757cc..87d25761 100644
--- a/src/GetFPath.c
+++ b/src/GetFPath.c
@@ -78,6 +78,11 @@ char **XGetFontPath(
length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(flist);
+ Xfree(ch);
+ flist = NULL;
+ break;
} else
flist[i] = NULL;
}
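Review bot: `Xfree(ch)` in the added `i == 0` branch is a valid free only while `ch` still equals the pointer the allocator returned; the statement that advances `ch` past each length byte is outside this hunk, and on the first iteration it presumably has not run yet, but nothing in the branch states that invariant. A comment such as `/* i == 0: ch has not been advanced, so it is still the allocation start */` would make the assumption explicit, and freeing a copy of the start pointer saved before the loop would make the branch independent of statement order. The same point applies to the identical `Xfree(ch)` in the src/ListExt.c hunk. XGetFontPath's body continues on both sides of the hunk.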
diff --git a/src/ListExt.c b/src/ListExt.c
index 0498aa18..a795041d 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(list);
+ Xfree(ch);
+ list = NULL;
+ break;
} else
list[i] = NULL;
}